Silicon SheckySilicon Shecky

Author Archive

Security – Open Source vs. Closed: It’s a matter of eyes

by on Apr.14, 2014, under Rants, Security, Software

For years there has been the whole what is more secure, Open or Closed source? Microsoft has and still takes a beating over this. Truth, though, is a different thing.

We all have heard of Heartbleed by now. The 2 year old security gap in OpenSSL has been all over the news. During all of this, a hole in the much loved Chrome browser that will allow websites to turn on your microphone and record what you are saying was announced. Another bug that had been around for a while (August 2013). Meanwhile, the hated entity known as Microsoft has been pretty much unaffected by these issues. Maybe it is time to remove our preconceived and ancient thought over security in the Open vs. Closed Source world.

The argument has been, from what I have heard and can tell, that Open Source is more secure because you have more eyes looking at it. The code is open and out there so people can find the issues faster and with the collaborative nature of Open Source, will be patched faster. Truth of the matter, as has been shown over the past week, is that it is not the case, and security holes can get past this set of checks and balances just as they can in any Closed Source system. The surprising thing is how long it has taken to find Heartbleed. One would think, with all those eyes looking at the code, that it would have been found much sooner. Of course this has led to the theories of the bug being an NSA backdoor. True or not, the code was still out there for everyone to see.

Chrome is a slightly different issue. Here is a bug that was found over 6 months ago, that still hasn’t been patched. It was brought to Google’s attention and they sat on it. Could this be another NSA (or insert your favorite Government agency here) backdoor? A way to spy on you without warrants? We will never know for sure, but it does show one major hole. Our thinking of Open Source and security is not completely correct. It is not the be all end all.

What has been lost in this is that Microsoft, and its Closed Source implementations of SSL have been free and clear of the Heartbleed problem. Microsoft at one time was awful with security. In this day and age though, it has gotten a lot better. It is responsive to holes, and the amount of out-of-band patches and workarounds for Zero Days is quite speedy. In fact the biggest security holes in Microsoft systems, is usually Java and/or Flash. Flash is still Closed Source, but Java was at one point more open. Java also is embedded in the web very deep. Try using NoScript at it’s tightest levels and see how much of websites get blocked, and how many websites complain about Java not being turned on. Yet through all of this, Microsoft is the one that still takes the blame, especially in the public’s eye. That is because we, the ones in the know, have done little to reeducate the public, and ourselves.

Do not get me wrong. I have nothing but love for the Open Source community. Collaborative efforts are awesome, and the community puts out some fantastic software, and alternatives to Closed Source (and overpriced) programs. It just has to be realized that it is no more secure than Closed Source. In the end it is all about the eyes on the code and the people looking for the holes. Remember Security is a process, not a destination.

Leave a Comment :, , , , , more...

Why new PCs? These are good enough!

by on Mar.25, 2014, under Computers, Rants

The people that work in the IT field know about upgrading and updating computer equipment. The SMB owners.. not so much.

I’ve had a couple interesting experiences recently with clients. I was busy trying to tell them that Windows XP was no longer going to be supported and that they should get new PCs. One client wanted pricing also for upgrading their current Core2 Duo PCs. We got them quotes for both, showing a difference of $800 total between upgrading multiple PCs and just getting new ones. Now we wait to see if they make the right choice.

The other client flat out told me that his server and PCs should last them 10-15 years. Nothing I said changed that idea in his mind. I fear for this client as they already have been hacked (see my previous post about that), and of course are setting themselves up for more pain like that.

I let my clients know that every 3-5 years they should be getting new computer equipment. Not only will they get faster machines with newer OSes that should be more secure, but their efficiency will be as good if not better, and they will have machines that are back under warranty. Now I understand that in a world where big ticket purchase do tend to last a long time (Cars, TVs, Appliances, etc…), they feel that should be the same way with computers. Add on that leasing the equipment doesn’t make a lot of sense financially either. So what is one to do, outside of explain to them the reality of the situation.

First off, set a hard date for when you will stop supporting the older OSes, and let your clients know that date. This not only gives them a solid time frame for which to make the changes, but puts the pressure on them.

Second, explain how going to newer equipment makes sense. Touch on speed of the new machines, security, warranties, and that the competition won’t wait for them to catch up.

Finally, let them know that the cost to upkeep the old equipment is not worth it. In the long run they save more by staying current with their equipment, especially as parts become rare.

There is no way to force a company to purchase newer equipment. The bottom line on all of this is to get the higher ups to understand that old equipment hurts the company in the long run. Hopefully, they are willing to listen to you, after all they have brought you on as the expert.

Leave a Comment :, , , , more...

We’ve been Hacked! A Client’s issue

by on Jan.25, 2014, under Security

I deal with a lot of small businesses and getting them to understand security risks of old software and why hackers would want to hack them is difficult at best. Recently one client of mine learned the hard way.

Money they say is the root of all evil, and for SMBs a root of security problems. They do not want to spend money to upgrade PCs and servers until the last possible minute before they crash out. You tell them that they are insecure because of the old systems, and they come back with, “We are small and have nothing that a hacker would want.” This is due to the way hacks are presented in the media. All you hear about are the hacks of government systems, or large companies that have credit card data. SMBs don’t have huge secrets (most of the time), and just don’t get it.

This attitude recently bit one of my clients in the rear big time. They noticed that things were running slow on their SBS2003 server. they also noticed a bunch of new user accounts set up on the server. We would delete the accounts and they would say, ok, we will watch for this to happen again. I ran malware detection programs such as Malwarebytes on their machines and server to find nothing more than a couple of tracking cookies and a few common adware toolbars. I’d remove these and we would then wait. The waiting is the hardest part. Finally it became so annoying they asked what we could really do, as they were not spending money on a new system. So, at their behest, I went on site where I could focus on the task at hand without being disturbed by other clients, and watch the system from the console. That is where the fun really began.

I started off using process explorer to just take a general look at the system health. I noticed the CPU was being heavily used, but I have seen that on SBS servers before, usually because of e-mail coming in and being scanned, or SQL databases being used. Still,. I kept Process explorer open and opened the Terminal Server manager, where I noticed a clue to what was happening.

In the matter of minutes I watched a listener connect and disconnect, an obvious brute force attack on remote access for the server. this prompted me to open up Wireshark and take a look at incoming connections. This is what I saw:

primecoin wireshark

A quick check online of this IP Address showed it to be in Germany. Now why would someone from Germany try to brute force this small company? Well the next clue was hiding in plain site.

The problem with working in the IT field is overconfidence. It is what makes us overlook the obvious. In this case I was not noticing something in Process Explorer.

Process Explorer hack primecoin

Yes the suspended processes in the screen shot were the culprits. Don’t they look like normal Windows Processes though? They key was their actual path. Svchost.exe normall resides in C:\Windows\System32, but in the case of the processes I suspended they were located in c:\Windows\System. Odd I thought so I went to the C:\Windows\System directory and noticed a bunch of files I had not seen before, including a subdirectory. I double checked on a different client’s SBS2003 server (Yes I have a few that still run it), and sure enough, the subdirectories and extra files I had found were not supposed to be there. The System directory is not supposed to have any subdirectories at all. Add on that one of the directories was called Primecoin. Well a quick Google search revealed that Primecoin is a Bitcoin competitor, and obviously that the mining of Primecoins was the reason people were interested in this server.

The WMIAPSRV.exe seen above actually had the handles below:

Type    Name
Desktop    \Default
Directory    \BaseNamedObjects
Directory    \KnownDlls
Event    \BaseNamedObjects\crypt32LogoffEvent
File    \Device\WMIDataDevice
File    \Device\Tcp
File    C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca
File    \Device\Tcp
File    \Device\Afd
File    \Device\Afd
File    \Device\Afd
File    \Device\Tcp
File    \Device\Afd
File    C:\WINDOWS\system\Primecoin\chainstate\015178.sst
File    \Device\NamedPipe\uRGbKdRczuUDzDTuzx7VIdviMwLONGGIPD6f3it5Br5zV6wrIiu37N5igtR6IoSJe62SrbPkkc3byxULtHhVzwGwlQ1jmxJLyTpomhoKfpPkJ4yyIArQA4
File    \Device\NamedPipe\AwB7B3gyoJxp8Jk4WcCDjrJzOto8OOwUfuQr9g7csXW2ql7KI6Pbd26p9VHiIEJPO1PVE4nABknBmzUIQ8dlkWwaKO6fU4LJXp5CprT4CxPbJFToZaCb6e
File    C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca
File    \Device\WMIDataDevice
File    \Device\WMIDataDevice
File    C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_5.82.3790.5190_x-ww_D21E1F39
File    C:\WINDOWS\system\Primecoin\chainstate\015181.sst
File    C:\WINDOWS\system\Primecoin\chainstate\015183.sst
File    \Device\Tcp
File    \Device\Afd
File    \Device\Afd
File    \Device\Tcp6
File    \Device\Afd
File    \Device\Afd
File    \Device\Tcp
File    \Device\Tcp
File    \Device\Afd
File    \Device\Afd
File    \Device\Tcp
File    \Device\Afd
File    \Device\Tcp
File    \Device\Afd
File    \Device\Afd
File    \Device\Tcp
File    C:\WINDOWS\system\Primecoin\chainstate\015179.sst
File    C:\WINDOWS\system\Primecoin\chainstate\015180.sst
File    \Device\Tcp
File    C:\WINDOWS\system\Primecoin\chainstate\015182.sst
File    C:\WINDOWS\system\Primecoin\chainstate\015177.sst
File    C:\WINDOWS\system\Primecoin\database\log.0000000004
File    C:\WINDOWS\system\Primecoin\database\log.0000000004
File    C:\WINDOWS\system\Primecoin\chainstate\015176.sst
File    C:\WINDOWS\system\Primecoin\wallet.dat
File    C:\WINDOWS\system\Primecoin\wallet.dat
File    C:\WINDOWS\system\Primecoin\chainstate\015175.sst
File    \Device\Tcp
File    \Device\Tcp
File    C:\WINDOWS\system\Primecoin\blocks\index\003151.sst
File    C:\WINDOWS\system\Primecoin\blocks\index\003150.sst
File    C:\WINDOWS\system\Primecoin\blocks\index\007322.sst
File    C:\WINDOWS\system\Primecoin\blocks\index\007321.sst
File    C:\WINDOWS\system\Primecoin\blocks\index\007320.sst
File    \Device\Tcp
File    C:\WINDOWS\system\Primecoin\blocks\index\007317.sst
File    C:\WINDOWS\system\Primecoin\blocks\index\007374.sst
File    C:\WINDOWS\system\Primecoin\blocks\index\006726.sst
File    C:\WINDOWS\system\Primecoin\blocks\index\004791.sst
File    C:\WINDOWS\system\Primecoin\blocks\index\006724.sst
File    C:\WINDOWS\system\Primecoin\blocks\index\006723.sst
File    C:\WINDOWS\system\Primecoin\blocks\index\006722.sst
File    C:\WINDOWS\system\Primecoin\blocks\index\007323.sst
File    C:\WINDOWS\system\Primecoin\blocks\index\006720.sst
File    C:\WINDOWS\system\Primecoin\blocks\index\006719.sst
File    C:\WINDOWS\system\Primecoin\blocks\index\006718.sst
File    C:\WINDOWS\system\Primecoin\blocks\index\006717.sst
File    C:\WINDOWS\system\Primecoin\blocks\index\007373.sst
File    C:\WINDOWS\system\Primecoin\blocks\index\004800.sst
File    C:\WINDOWS\system\Primecoin\blocks\index\004799.sst
File    C:\WINDOWS\system\Primecoin\blocks\index\007372.sst
File    C:\WINDOWS\system\Primecoin\blocks\index\004798.sst
File    C:\WINDOWS\system\Primecoin\blocks\index\004797.sst
File    C:\WINDOWS\system\Primecoin\blocks\index\004796.sst
File    C:\WINDOWS\system\Primecoin\blocks\index\004795.sst
File    C:\WINDOWS\system\Primecoin\blocks\index\007371.sst
File    C:\WINDOWS\system\Primecoin\blocks\index\004794.sst
File    C:\WINDOWS\system\Primecoin\blocks\index\004793.sst
File    C:\WINDOWS\system\Primecoin\blocks\index\004792.sst
File    C:\WINDOWS\system\Primecoin\blocks\index\007319.sst
File    C:\WINDOWS\system\Primecoin\blocks\index\007370.sst
File    C:\WINDOWS\system\Primecoin\blocks\index\007376.sst
File    C:\WINDOWS\system\Primecoin\chainstate\MANIFEST-015172
File    C:\WINDOWS\system\Primecoin\chainstate\015174.log
File    C:\WINDOWS\system\Primecoin\chainstate\LOCK
File    C:\WINDOWS\system\Primecoin\chainstate\LOG
File    C:\WINDOWS\system\Primecoin\blocks\index\MANIFEST-007378
File    C:\WINDOWS\system\Primecoin\blocks\index\007379.sst
File    C:\WINDOWS\system\Primecoin\blocks\index\007380.log
File    C:\WINDOWS\system\Primecoin\blocks\index\LOCK
File    C:\WINDOWS\system\Primecoin\blocks\index\LOG
File    \Device\Afd
File    \Device\Tcp
File    \Device\Afd
File    \Device\Tcp6
File    C:\WINDOWS\system\Primecoin\db.log
File    \Device\Tcp
File    C:\WINDOWS\system\Primecoin\debug.log
File    C:\WINDOWS\system\Primecoin\.lock
File    \Device\Tcp
File    \Device\Tcp
File    \Device\Tcp
File    \Device\KsecDD
File    C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.3790.5190_x-ww_319264BE
File    \Device\Ip
File    \Device\Ip
File    \Device\Ip
File    \Device\Tcp
File    \Device\Tcp
File    \Device\Tcp
File    C:\WINDOWS\system
Key    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions
Key    HKLM\SYSTEM\ControlSet001\Services\MSExchangeAL\Performance
Key    HKLM\SYSTEM\ControlSet001\Services\PerfOS\Performance
Key    HKLM\SYSTEM\ControlSet001\Control\Nls\Language Groups
Key    HKLM\SYSTEM\ControlSet001\Control\Nls\Locale
Key    HKLM\SYSTEM\ControlSet001\Control\Nls\Locale\Alternate Sorts
Key    HKLM\SYSTEM\ControlSet001\Services\MSExchangeAL\Performance
Key    HKLM\SYSTEM\ControlSet001\Services\MSExchangeAL\Performance
Key    HKLM\SYSTEM\ControlSet001\Services\ASP.NET_2.0.50727\Names
Key    HKLM\SYSTEM\ControlSet001\Services\MSExchangeAL\Performance
Key    HKLM\SYSTEM\ControlSet001\Services\MSExchangeAL\Performance
Key    HKLM\SYSTEM\ControlSet001\Services\MSExchangeAL\Performance
Key    HKU\.DEFAULT
Key    HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5
Key    HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9
Key    HKLM\SYSTEM\ControlSet001\Services\NetBT\Parameters
Key    HKLM\SYSTEM\ControlSet001\Services\NetBT\Parameters\Interfaces
Key    HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters
Key    HKLM\SYSTEM\ControlSet001\Services\Tcpip\Linkage
Key    HKLM
Key    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
Key    HKLM\SYSTEM\ControlSet001\Services\PerfOS\Performance
Key    HKLM\SYSTEM\ControlSet001\Services\MSExchangeAL\Performance
Key    HKLM\SYSTEM\ControlSet001\Services\PerfOS\Performance
Key    HKLM\SYSTEM\ControlSet001\Services\PerfOS\Performance
Key    HKLM\SYSTEM\ControlSet001\Services\PerfOS\Performance
Key    HKLM\SYSTEM\ControlSet001\Services\PerfOS\Performance
Key    HKLM\SYSTEM\ControlSet001\Services\PerfOS\Performance
KeyedEvent    \KernelObjects\CritSecOutOfMemoryEvent
Mutant    \BaseNamedObjects\__PDH_PLA_INSTALL_MUTEX__
Mutant    \BaseNamedObjects\__PDH_PLA_MUTEX__
Process    wmiapsrv.exe(7476)
Semaphore    \BaseNamedObjects\shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}
Semaphore    \BaseNamedObjects\shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}
Thread    wmiapsrv.exe(7476): 2080
Thread    wmiapsrv.exe(7476): 6564
Thread    wmiapsrv.exe(7476): 4568
Thread    wmiapsrv.exe(7476): 6860
Thread    wmiapsrv.exe(7476): 6652
Thread    wmiapsrv.exe(7476): 8060
Thread    wmiapsrv.exe(7476): 6780
Thread    wmiapsrv.exe(7476): 7884
Thread    wmiapsrv.exe(7476): 7892
Thread    wmiapsrv.exe(7476): 6076
Thread    wmiapsrv.exe(7476): 6860
Thread    wmiapsrv.exe(7476): 8072
Thread    wmiapsrv.exe(7476): 7892
Thread    wmiapsrv.exe(7476): 6076
Thread    wmiapsrv.exe(7476): 6860
Thread    wmiapsrv.exe(7476): 7884
Thread    wmiapsrv.exe(7476): 6192
Thread    wmiapsrv.exe(7476): 7460
Thread    wmiapsrv.exe(7476): 6916
Thread    wmiapsrv.exe(7476): 7496
Thread    wmiapsrv.exe(7476): 6904
Thread    wmiapsrv.exe(7476): 5016
Thread    wmiapsrv.exe(7476): 6540
Thread    wmiapsrv.exe(7476): 7608
Thread    wmiapsrv.exe(7476): 6708
Thread    wmiapsrv.exe(7476): 6312
Thread    wmiapsrv.exe(7476): 5356
Thread    wmiapsrv.exe(7476): 7160
Thread    wmiapsrv.exe(7476): 3300
Thread    wmiapsrv.exe(7476): 7568
Thread    wmiapsrv.exe(7476): 7568
WindowStation    \Windows\WindowStations\Service-0×0-3e7$

Digging into the folder I found the config file which had a bunch on nodes listed in it:

rpcuser=user
rpcpassword=pass
rpcport=8001
gen=1
server=1
daemon=1
genproclimit=-1
datadir=C:\windows\system\data
sievesize=1000000
maxconnections=256
rpcallowip=127.0.0.1
addnode=211.233.71.251
addnode=61.56.64.173
addnode=140.116.182.4
addnode=210.242.25.21
addnode=218.211.253.204
addnode=140.127.176.69
addnode=2.228.165.179
addnode=118.96.53.165

This was all fine and good, but removing these files and directories, while cleaning up the system and bringing the processor load down, does not remove the way that they were getting in. Yes we had removed all the obvious fake accounts, but what else were they using? Turns out that when they had gotten the Admin Password cracked, they had enabled a couple of built in accounts, given them admin rights plus created a couple of accounts that sounded like they should be there. The biggest culprit was a built in support account which should have been disabled by default. I proceeded to remove or disable the accounts and reset permissions as needed, along with changing the admin password, and forcing the whole company to change their individual passwords, plus add on factors to the passwords to make them stronger.

There was one last thing to take care of, and that was the brute force attack on the server. I went in and reconfigured the Firewall and the Terminal Services to allow a rather low connection count/retries on the port that we had terminal services open on.

Since going through all these steps, there have not been any signs of the server being hacked. No odd accounts have shown up, no odd directories have shown up, and most importantly the server is running smooth and the CPU has not been spiking. Does this mean they are completely clean? Of course not, but the prognosis is leaning that way. We all know once compromised, a machine is easier to compromise again. Vigilance is the key here, at least until they decide to get a new server.

 

Disclaimer: The client I talk about in this article knows I was going to write about this and have left their name out of the article at their request.

Leave a Comment :, , , , , , more...

Looking for something?

Use the form below to search the site:

Still not finding what you're looking for? Drop a comment on a post or contact us so we can take care of it!